Encryption Export Rules Demand Key Recovery
Encryption Export Rules Demand Key Recovery
By Jonathan T. Cain
The Clinton administration claims that its new rules governing the export of encryption software will make it easier for Americans to use strong encryption to protect privacy and valuable information. It permits American entities with overseas operations to use stronger encryption technology than is now licensed for export. However, the new rules will make it easier for government agents to invade the privacy of Americans' secure communications. The new rules also ignore recent rulings on the scope of the First Amendment and the permissible limits on government's prior restraint on investigation of encryption techniques.
In November, the administration transferred jurisdiction of export control of commercial encryption products from the Department of State to the Department of Commerce. Policy makers contend that export of encryption products available to U.S. citizens is harmful to national security and foreign policy objectives of the United States - even where comparable products are available from foreign sources. The November directive also instructed the Commerce Department to control technical assistance in encryption technology and to promote the development and substitution of key recoverable products for nonrecoverable products in its rule making.
The new rules create four licensing schemes, each with differing requirements, depending on the nature of the encryption product. The least restrictive procedures apply to so-called "mass market" encryption object code that employs keys of up to 40 bits. Mass market encryption products, if approved for export after a one-time review, may be exported without further license. A second category of permissible exports is comprised of key escrow, key recovery and recoverable encryption products.
Recoverable products may be licensed after a one-time review, provided that, prior to export or re-export, a key recovery agent acceptable to government regulators has been identified. Nonrecoverable encryption products using up to a 56-bit key constitute a third category of exportable products. Nonrecoverable products may receive a license, but only if the exporter commits to replace such products with recoverable encryption within a two-year period.
The license for nonrecoverable products is granted for six-month periods, and renewal is conditioned upon the exporter meeting specific deadlines spelled out in a licensing plan for product development, marketing and establishment of key recovery infrastructure. All other encryption products proposed for export will be evaluated on a case-by-case basis, and there is no indication in the rules that licenses for products other than those in the three approved categories will be granted.
The rules define a recoverable encryption product as one in which the cryptographic functions are rendered inoperable until the keys required to decipher their output are available to government agents. The software must be designed to be inoperable in the event the user attempts to alter the recovery features. The recovery capability must permit government agents to decipher the output without the knowledge or cooperation of the user and must allow the government agent, once he has received the key, to decipher all ciphered text created or received to which the key applies.
The key escrow agent must be approved by the agency before a license will be granted. Escrow agents are required to make keys available to government agents within two hours of a request and are not permitted to disclose to the user the fact that the government has requested or received a key.
Exporters seeking a mass-market exemption to export weak encryption products may obtain an exemption if the software is generally available through retail channels and is designed to be installed by the purchaser without support. The encryption software must use the RSA proprietary RC2 or RC4 algorithm (not both) with a key space no longer than 40 bits. The agency will provide material for a test of the encryption output to ensure that it is suitably insecure from government deciphering. If the mass market software does not use the proprietary RC2 or RC4 algorithms, a more complicated and time-consuming process is required.
The Commerce Department missed an opportunity to rid the export regulations of an anomaly that defies reasoned analysis. Encryption source code in printed format is not subject to control. The rules maintain, however, that the same source code on a diskette or CD-ROM will be controlled.
The Commerce Department is still undecided over whether printed source code on a form amenable to scanning should be treated differently from "non-scanable" printed code.
This inconsistency has been discredited by at least one federal court, which ruled last year that source code published in electronically readable formats is no less subject to the protections of the First Amendment than is the same expression in printed format. Nevertheless, the rules will be burdened with this inconsistency because the government has elected to appeal and cannot adopt a more logical rule while the appeal is
Jonathan T. Cain chairs the Technology Practice Group of Mays & Valentine LLP, McLean, Va. His e-mail address is firstname.lastname@example.org.